
Understanding DNS Leaks and How to Prevent Them

You connected to a VPN, so your browsing is private — right? Not necessarily. A DNS leak can quietly hand your ISP a complete list of the sites you visit, even while everything else is encrypted. Here's how that happens and how to stop it.

What DNS does, and why leaks matter

Before your device can load a website, it has to translate the human-readable name (example.com) into an IP address, and it asks a DNS resolver to do that. The catch: a DNS query travels in plain text and names exactly which site you are about to visit, so anyone who can see it (the resolver operator, your ISP, or anyone on the path between you) can log the domain with a timestamp. HTTPS encrypts the page and the URL path, but it does nothing for the lookup that precedes it. If those queries go to the wrong resolver, or travel unencrypted, an observer learns every domain you visit, even though the pages themselves are encrypted.

What a DNS leak is

A DNS leak occurs when your DNS queries bypass the protection you think you have. The classic case: you connect to a VPN expecting all traffic to go through the encrypted tunnel, but your device keeps sending DNS lookups to your ISP's resolver outside the tunnel. Your web traffic is hidden; your list of visited domains is not. The VPN looks like it's working, yet your ISP can still build a complete picture of where you go.

Common causes

  • VPN not handling DNS. A poorly configured or low-quality VPN client doesn't replace the system resolver with its own, so lookups keep going to the ISP's resolver over the physical interface.
  • Manually set DNS servers. A resolver hard-coded on the network adapter (your router's address, or a public one) stays configured after the VPN connects, and the OS may reach it outside the tunnel, or at least alongside the VPN's resolver.
  • IPv6 leaks. The VPN tunnels IPv4 only, but the OS still has an IPv6 resolver (usually learned from router advertisements or DHCPv6) and reaches it over the physical interface.
  • “Smart Multi-Homed Name Resolution” on Windows, which sends each query out on every interface in parallel and accepts whichever answer arrives first, including the one from the resolver outside the tunnel.
  • Transparent DNS interception by some ISPs, which hijack port 53 and answer queries no matter which resolver you configured. Only encrypted DNS, or DNS carried inside the tunnel, gets past this.
  • Tunnel gaps. Queries sent before the tunnel is up, during a reconnect, or after a silent drop with no kill switch go out unprotected.

How to test for a DNS leak

Connect your VPN, then run a multi-server DNS leak test and look at the resolvers it reports. A leak test works by having your browser fetch unique, randomly generated hostnames under a domain the test operator controls; whichever resolver ends up asking the operator's authoritative servers for those names is the resolver you are really using, and the test shows you its IP address and owner. If you see your real ISP, or your home country when the VPN claims to be elsewhere, you're leaking; also watch for IPv6 resolvers appearing alongside the VPN's. You can also check whether your browser supports encrypted DNS with our DNS leak & secure-DNS check, and confirm your IP isn't separately leaking via the WebRTC test.

How to prevent DNS leaks

1. Use a VPN that forces its own DNS

Reputable VPNs run private resolvers and route every query through the tunnel, usually with built-in leak protection that rewrites the system resolver for the duration of the session and a kill switch that blocks all traffic if the tunnel drops. This is the simplest, most reliable fix: look for a client that advertises both, then verify it with a leak test rather than taking the marketing at its word.

2. Enable encrypted DNS (DoH/DoT)

DNS-over-HTTPS and DNS-over-TLS wrap your lookups in TLS, so your ISP or anyone else on the path can't read or tamper with them in transit, which also defeats transparent port-53 interception. Two caveats: the resolver you choose still sees every query, and encrypted DNS hides only the lookup, not the connection that follows it (the server name in the TLS handshake still reveals the hostname to an on-path observer unless the connection uses Encrypted Client Hello), which is why the VPN tunnel still matters.

  • Chrome/Edge: Settings → Privacy and security → Security → Use secure DNS. Pick a named provider rather than “With your current service provider”, which only upgrades to DoH if your ISP's resolver happens to support it and otherwise stays in plain text.
  • Firefox: Settings → Privacy & Security → DNS over HTTPS (set to Increased or Max Protection; Max Protection refuses to fall back to unencrypted DNS if the DoH resolver is unreachable).
  • OS-wide: Windows 11 (Settings → Network & internet → your adapter → DNS server assignment → Edit, then switch DNS over HTTPS on for each resolver) and Android 9+ (Settings → Network & internet → Private DNS, which takes a DoT hostname) support encrypted DNS system-wide; macOS and iOS need a configuration profile, or a DNS app that installs one. System-wide beats per-browser, because everything else on the device (mail clients, updaters, other apps) resolves names too.

3. Use a privacy-respecting resolver

Point your system at Cloudflare (1.1.1.1), Quad9 (9.9.9.9) or another resolver with a published no-logging policy, rather than your ISP's default. Two caveats: on its own this only moves the trust from your ISP to the resolver operator, whose policy you can't verify, and unless the queries are encrypted or routed through the tunnel your ISP still sees them in plain text on the way there. Combine it with encrypted DNS, or let the VPN's own resolver do the job while you're connected.

4. Disable IPv6 if your VPN can't tunnel it

If your VPN is IPv4-only, IPv6 DNS (and IPv6 traffic generally) slips out over the physical interface. Either pick a VPN with full IPv6 support or disable IPv6 while connected: on Windows, untick Internet Protocol Version 6 in the adapter's properties; on Linux, set the sysctl net.ipv6.conf.all.disable_ipv6=1; on a router, turn IPv6 off for the LAN. (Long term, prefer a VPN that handles it; see IPv4 vs IPv6 privacy.)

5. Turn off Windows' parallel resolution

On Windows, disable “Smart Multi-Homed Name Resolution” so the system stops sending every query out every interface at once: in the Group Policy editor, go to Computer Configuration → Administrative Templates → Network → DNS Client and set “Turn off smart multi-homed name resolution” to Enabled. On editions without the policy editor, the same policy is the DWORD value DisableSmartNameResolution = 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient. Many VPN clients apply this themselves as part of their leak protection; check rather than assume.

Test, don't trust. After any VPN or DNS change, re-run a leak test. A VPN that hides your traffic but leaks your DNS is giving you a false sense of security.